Although cyber security breaches continue to make dramatic headlines, much early regulatory action from the UK’s ICO and across the EU – in terms of fines and enforcement notices – has been in basic areas of compliance: inadequate legal consent to market to target customers, illegal grounds for processing employee data, inadequate supplier/processor contract clauses, slow or inadequate responses to DSARs (data subject access requests) and absence of DPIAs (data protection impact assessments).
While the overall pan-EU enforcement strategy is not yet clear, it does seem that it is easier for Supervisory Authorities to respond to – and make decisions about – matters that are relatively black and white. Breaches take significant investigatory effort, and identifying the sequence of events and determining liability can be complex, whereas a decision that a processor contract does not meet legal requirements, or that marketing consent does not pass the relevant test, or that a DSAR has not been answered within the relevant time frame, is straightforward.
Regulatory actions mask wider non-compliance state
It is equally straightforward to identify that an organisation that should have appointed a DPO hasn’t, or that should have carried out a DPIA hasn’t. While the fines may not be as substantial as those that accompany data breaches, they are still fines, and dealing with them still takes substantial management time. Inevitably, too, the omission that leads to regulatory action often masks a wider non-compliance state, so organisations can find themselves having to pay a fine while also having to change an illegal behaviour and, at the same time, having to fix this behaviour in a number of other parts of the business – because repeat offences are likely to carry rapidly escalating fines.
The conclusion: make sure that you are meeting all the basic GDPR compliance requirements.
Critical GDPR compliance actions to take right now
- a complete and adequate data processing notice;
- genuine and legal grounds for processing all elements of personal data;
- legally appropriate clauses in all contractor/processor contracts;
- DPIAs and data flow maps carried out where necessary; and
- particularly if you are outside the EU, the appointment of an EU representative and all the necessary compliance steps to enable the export of personal data from the EU.
Get the right legal expertise. Get certainty over your GDPR compliance status
Speak to the team at GRCI Law about our Privacy as a Service offering – it’s a quick and efficient way of addressing all the above issues and making sure that you stay out of regulatory harm’s way. Privacy as a Service is a flexible, holistic solution that covers all aspects of data protection and data privacy to support your ongoing GDPR compliance journey.